All large organizations are familiar with and have internal controls implemented within their organizations, especially those that are required to undergo external audits. Despite the fact that most of them are required to, a lot of them do it because of the protection from fraud and serious material errors. The problem is a lot of small companies forgo internal controls because they believe they are either not susceptible to the issues mentioned above, or that it will be too costly to implement. Both of those assumptions would be incorrect.
To understand why internal controls are so important we need not look any further than the ACFE 2016 Report to the Nations that states 83.5% of all frauds are asset misappropriation. Asset misappropriation includes frauds such as check tampering, billing, cash larceny, expense reimbursements, skimming, and payroll. The majority of
these fraud schemes are done through created physical documents, altered physical documents, altered transactions in the accounting systems, fraudulent transactions in the accounting system and so forth. The common denominator among all of these schemes is they either require two people to commit them in the presence of internal controls or they are committed in the absence of internal controls where internal controls would have prevented them. According to the ACFE report lack of internal controls was the primary internal control weakness among victim organizations at 29.3%, and the second most frequent weakness observed was override of existing internal controls at 20.3%.
How can your organization implement a strong set of internal controls without breaking the bank? The first rule of thumb is separation of duties, if someone receives the checks they should not be the same one cashing it. Usually in this case you can have a shared spreadsheet that logs checks, the person who receives it logs it, the person who will be depositing it verifies the amount that is logged. This also means the depositor should not be the signor, or there should be a second signor. Another fantastic control to keep in mind a double approval system; for example, if your organization pays for travel or other expense reimbursements, never underestimate the possibility for collusion or management override. If you require that two people other than the person submitting the reimbursement request must review and sign off on the reimbursement, you have significantly decreased the possibility of fraud or errors. Something that absolutely cannot be overstated when it comes to internal controls is managements review and oversight. If you own your company or are the principal manager you should never assume that the internal controls are working perfectly just because they are in place, think like an auditor, test the controls, assume the role of a fraudster and think of ways that you can possibly beat the internal controls. After you’ve done this discuss it with the accounting staff, let them answer questions on hypotheticals and how they would respond, you will find that your accounting staff may have some great ideas for improving your internal controls, or they will at least let you know where there is a possibility for the controls to break down.
Preventing fraud is a very large part of the battle, and as long as there are people out there who are trying to outsmart the system there will always be the possibility for internal control failure, but we also know that fraud is much less likely in the presence of internal controls. The second portion of fraud is detection once it is happening, I wrote a blog about this a few weeks ago and I encourage you to also take a look at that on some ideas for detecting fraud if it is indeed happening in your organization. The combination of internal controls and fraud detection practices can significantly decrease an organizations exposure to fraud.
Please subscribe to this blog and take the chance to read the ACFE 2016 Report to the Nations for more detailed information on fraud rates throughout the world. As always, if you have any questions or any content you might like to see in the future feel free to comment below or send me an email.